The Startup Defense

Army Software Factory, CMMC Impact, and ATX Defense with Zach Walker

October 18, 2023 Callye Keen Season 1 Episode 26

In this episode of "The Startup Defense," hosted by Callye Keen, we delve into the complex world of cybersecurity and defense innovation. Joined by cybersecurity expert Zach Walker, the discussion revolves around the evolving landscape of security regulations, including the Cybersecurity Maturity Model Certification (CMMC). 

Topic Highlights:

[00:00] - Introduce Zach Walker
Callye Keen introduces Zach Walker, Co-founder of ATX Defense, an organization that helps national security organizations integrate revolutionary technology, scalable processes, and long-term viability into their operations.

[02:55] - Understanding CMMC and Its Evolution 
Zach Walker introduces the Cybersecurity Maturity Model Certification (CMMC) and explains its significance in the defense industry. He highlights the evolution of CMMC and its role in strengthening security regulations.

[06:45] - Challenges and Confusion Surrounding CMMC 
Callye and Zach discuss the challenges and confusion many companies face when dealing with CMMC requirements. Zach emphasizes the need for clarity and proper guidance in compliance.

[12:18] - Empowering Startups in the Defense Space 
The conversation explores how startups can play a pivotal role in driving innovation within the defense industry. Zach and Callye discuss the importance of bringing new entrants into the ecosystem.

[15:52] - CMMC's Impact on Business Operations 
Zach elaborates on how CMMC compliance can significantly affect a company's ability to secure defense contracts. He emphasizes the importance of understanding and preparing for CMMC's implications.

[23:32] - Army Software Factory and Institutionalizing Innovation
Zach Walker shares insights into the Army Software Factory and its mission to empower service members to drive innovation in software development. The discussion highlights the culture shift required to embrace emerging technologies.


"To me, what's so special about the Army Software Factory, being in the Reserves and coming from the Defense Innovation Unit, is that they have made good on that promise of empowering soldiers, service members, to be part of the solution." - Zach Walker


Callye Keen - Kform

https://kform.com/ 

https://www.linkedin.com/in/callyekeen/ 

https://youtube.com/@kforminc  

https://twitter.com/CallyeKeen 


Zach Walker - Co-founder of ATX Defense

atxdefense.com/cmmc

Zach led the Defense Innovation Unit's Texas office from 2017 to 2020 and has over two decades of national security experience, with service in the Army, Air Force, NSA, CIA, and at the Pentagon. He co-founded ATX Defense to help national security organizations integrate revolutionary technology, scalable processes, and long-term viability into their operations. Zach serves as the Chief Innovation Officer for the Texas Air National Guard and has worn the uniform since 2001.

Transcript


Speaker 1:

...fast forward to 2023 and people would say, oh yeah, my mom just got an SBIR. Yeah, she's got a Phase I. It's great, I love it. Yeah, my cousin got one too. Everyone understands now what it is and they're involved, and I think that's such an important thing to have.

Speaker 2:

Welcome to The Startup Defense. My name is Callye Keen. Today we have Zach Walker. Zach, you've been an assistant director for Operations Cyber Innovation at the Air Force, but now you are the managing partner of ATX Defense, and I see you posting information on CMMC, which is kind of the boogeyman of the DIB right now. So I really want to reach in and talk to you about that and get your perspective on this before we dive in. What are you passionate about right now?

Speaker 1:

That's a tough one. Well, first off, Callye, thanks so much for having me. Like I was saying earlier, if you had a show, you really enjoyed listening to some of my former colleagues wax poetic about defense and national security. I know it may sound easy or trite, but I'm really passionate about national security. It's a field I've been involved in since I turned 18 and joined the Army after the 9/11 attacks, and I've just always found myself drawn to the mission of it. And now I'm doing it, as you suggested, owning a company and trying it on the private sector side, which is different. It's certainly got its benefits and drawbacks, but whether as an 18-year-old enlisting in the Army National Guard, or in my time in the intelligence agencies or the Defense Innovation Unit, I've always found myself drawn to doing something that has some kind of an impact on national security. Or maybe you could say I just can't hold down a job and I just like doing lots of different things. I'd say that's what I'm passionate about, so I figured this would be a good place to talk about it.

Speaker 2:

Yeah, it's fantastic. I think we both share that love of national security and defense. I mean, it's really what I've spent the majority of my life doing, outside of doing some fun things: designing a hair tool, working with startups, doing this and this and this. But this is what my family's always done. We've been in defense manufacturing for more than 80 years, so I kind of grew up doing this thing, and I've seen this evolve from a very literal mom-and-pop business to a sophisticated business. I've seen the market, the defense industrial base, the DIB, go from literally thousands and thousands of these very small shops and larger contract manufacturers to a very sophisticated market with million-dollar equipment and complex IT systems. And it's kind of teeing up.

Speaker 2:

This change, where I might be a little bit more pessimistic because I'm inside this bubble, is the CMMC change. I feel like it's very necessary, because a lot of the equipment that's out there, a lot of the way that information is being passed around, is ludicrously insecure, and people are working on very sensitive projects. Right down to the component, or the equipment that's making the components, it is very insecure from a national security perspective. But it's also not the vector of sophistication that people have. Somebody might be running a million-dollar piece of equipment and have decades of experience in making aerospace components, but cybersecurity is not really on their radar. I kind of wanted to walk through this with you: CMMC, your perspective on cybersecurity in the supply chain, or just smaller businesses.

Speaker 1:

Yeah, CMMC is really interesting, because it's where national security, the defense industrial base, cybersecurity, just so many things, intersect. And, like you were saying, these very small companies that are maybe eight or nine tiers down from a major defense supplier. Their J-20 fighter looks like the F-22. It's not a coincidence. It's not because they're a huge fan of the US Air Force, although I can't blame them. It's because it's been so easy to go for this sensitive information. It's not classified information, it's called controlled unclassified information. It's something that, as a govvie...

Speaker 1:

I've spent 20-plus years as a reservist and some time on active duty as a government employee. You don't really think about it, because everything's kind of allegedly protected, not really, but it's all on a secure network, allegedly, and there's just no consequences. There's no consequences for mishandling controlled unclassified information, or even information that isn't public but isn't controlled, called federal contract information, that companies deal with, which is something I just had no concept of as a govvie. Right, this information that companies make that isn't controlled, but it's also not public, they still need to protect it. And so that's the challenge we're facing now. This data has been taken from us for so long, for decades at this point. The DoD is finally doing something about it, and that's called CMMC. It's everyone's favorite four-letter word in DoD. Because what happens is companies like mine, I got into this, and I promise you I never, ever thought I would be into compliance. It's literally the last thing I want to do, and I still hate compliance. But it's so important, again, because of national security. This is happening, and it's really a very interesting time, because the DoD is going to implement this whether companies are ready or not, and there may be some final things that DoD has to tie up with the timing of implementation. But if a company has a DoD contract, they're going to have to be compliant to some level of CMMC.

Speaker 1:

For fun, I got a quote from one of the big companies that does this work. They quoted a five-person company. They said it would be two hundred thousand dollars to get us compliant for the first year and then a hundred thousand dollars a year thereafter, which is absolutely insane, and I now realize it doesn't have to be like that. But that's what companies are being told, and so one of a few things will happen. One, they'll pay these consultants a king's ransom and get up to compliance levels, and I guess that works from a business perspective.

Speaker 1:

But my real fear here is that the companies that we're talking about, like the little mom and pops that maybe make this little widget that goes on a plane, and they bring in half a billion dollars a year from the government to do that, they might say, you know what, I don't think that's worth it anymore. I don't think I want this business, and I don't want to have to update my Windows 95 machines to whatever it is now, and they'll exit the market, or they'll get sold to private equity, or there will be even more consolidation as they get rolled into larger and larger defense primes, which raises the price for everyone. Or, what my real fear is, having come from the Defense Innovation Unit previous to starting my company: at DIU, we spent the better part of the decade trying to coax dual-use, venture-backed companies to work with the Department of Defense, and we had always amazing mechanisms to do so, with other transaction authority and things like that.

Speaker 1:

So much time and effort getting companies to finally start working with DoD, providing really valuable dual-use technology, and now my fear is that we're going to scare some of them away with CMMC, because it is so ambiguous, it is so expensive and, frankly, it's extremely difficult for a company that doesn't do defense as its primary business to be compliant and still do its work. So that's how I got into compliance after never thinking I would do it.

Speaker 2:

I'm gonna share some opinions, and I want to jump back to the balance between innovation and compliance, because in this industry those two things really have to be metered together. Right, but one, we've already seen massive exodus and consolidation in the defense industrial base. Because, one, there have been some budgetary issues which cause problems for smaller suppliers. They can't weather inconsistencies in the market very easily; that's come over time. But predominantly it is an aged-out industry, right. So for the entire military, 90% of those parts, machined parts, are done by very small businesses that are owner-operated, and those owners are just exiting. And if you have a small job shop or contract manufacturing business, you're not gonna really sell it in the same sense you sell a software company, which is intellectual property. If you have contracts, you could sell. And I think there are more smart PEs, to your point, that are rolling up these companies and they're interested in doing that, but predominantly they just close their doors. Right, they don't have sons or daughters who want to run the company. They just close their doors and say, I had a nice life, I made decent money, I'm gonna go retire at this lake and hang out with my wife, and that's that. And so we're seeing this massive, very quick shrinking of the DIB. There's the startup Hadrian, which has gotten a lot of attention. They got significant investment recently, to the tune of $70 or $90 million. They're essentially a machine shop. It sounds very fancy, but they're a more automated machine shop.

Speaker 2:

To solve this problem by starting from scratch, they can kind of bake in things like CMMC controls, because right now all of defense manufacturing is a dual-use supply chain. All the companies that make those parts do many different things, and their business model doesn't afford them doing just defense. In general, Kform is 99% defense. It's because of this issue, so we just don't do other things. Most other companies that are smaller contract manufacturers are part of a dual-use supply chain, which is not a concept that's commonly talked about. But they make commercial products, automotive products maybe, if they're very technical, but generally they just make stuff for startups or innovators, for the local ecosystem. They might repair parts. They just do all kinds of things, and so not all of that has the burden of CMMC or FAR compliance or physical security requirements or what have you. And by making compliance more important than innovation, what's gonna happen is you're gonna have a sole-purpose supply chain, which I feel like long term is gonna be weaker, because it'll only be able to focus on aerospace, defense and space. That'll be it. You can't have a company that does a lot of different things anymore because of the way that compliance works, so I'm kind of scared of that.

Speaker 2:

I'm very interested in secure supply chain in general, for electronics, for manufacturing, but also for just general knowledge work: the software bill of materials, or you could think of a knowledge bill of materials. Like, where do these ideas come from? Where are they going? What do I need to pack together to implement something? I think that dual use has gotten very popular, but we're not really thinking about the fact that ideas come from dual-use sources as well; they don't come from singular sources. You have a really broad set of experiences from being in the Army, being at DIU, now being a founder, so I kind of wanted to get what you think of that concept of dual-use supply, not just dual use as far as that endpoint, but the whole generation of an idea or knowledge.

Speaker 1:

Yeah, and that's actually a really interesting question that you bring up, and it's addressed when it comes to all the compliance rules as well, because at some point, obviously, ideas are considered controlled information, but when you get schematics or processes that are put in place that are sensitive, that's when things get very confusing. And from what I've found talking to other companies, they have a hard time knowing where that line stops and the line where information has to be safeguarded and controlled starts, and it can be difficult to know, and there certainly are some different criteria that companies use. But it's not just, I'm mentioning the hardware companies, which I think really are the classic suppliers of the defense industrial base, and you're talking about a mom-and-pop shop that's seven or eight layers removed from the defense prime, making hardware parts. But even my company, right, ATX Defense. We're primarily a management consultancy. We're helping the Army build a software development organization in Austin, Texas. Right, we're subject to all of this as well. All of the SBIR companies, right, even if it's not hardware and software, it's ideas.

Speaker 1:

If these companies have contracts that have a very specific clause that says they have to protect controlled unclassified information, then their entire system has to be compliant with this regime. That's the 110 controls, 320 objectives, and there are ways to do it that are manageable, again, that aren't a quarter of a million dollars, but it's certainly not easy. And I think it gets to your point of how many of these companies will say, yeah, it's time to hang it up, it's been a good career, time to go live on the beach somewhere.

Speaker 1:

Or, again, my biggest fear, the companies that are finally transitioning into the market, where now they have a good commercial revenue stream, but government is something they slowly started to build, whether it's through an SBIR or a CSO or some other mechanism, and they'll just look at it and say, we're not gonna do this, it's not worth it. And where the sales cycles are slow, right, we love our country, but if our country's gonna make us follow this insane compliance regime, I can't bring down my company with it. That's my fear. That's why I wanted to come on the show and try to perhaps demystify CMMC a little bit, because it doesn't have to be a doomsday scenario, and maybe I should start with this, right.

Speaker 2:

Yeah, let's talk about this, because, quite literally, people are looking at SBIR opportunities or other funding vehicles, and we love talking about government-led, non-dilutive funding vehicles for ideas. Like, I love it. I think it is such a great source for innovators to enter the market. But if you think, I'm gonna get $180,000 out of the Air Force, or I'm gonna get $250,000 out of an NSF grant or what have you, you're looking at a different SBIR or an innovation challenge vehicle, and then you realize, hey, I just got a quote for 200K to be CMMC compliant, but I'm only gonna get $180,000 out of the Air Force. I'm gonna be underwater right off the get-go, so I don't wanna enter this market. And it doesn't have to be like that. So I'd love to jump into that.

Speaker 1:

Absolutely, and that's an excellent point. I think that's a great example. A company that gets a Phase I SBIR, which is 75K, whatever it is, they won't necessarily have to meet all of the requirements at that moment, but then if they want a Phase II, they want to get the larger money. Not in every situation, but many times they will have to meet those requirements for controlled unclassified information, which, again, is a lot. So what's a company to do? Honestly, again, it also sounds a little trite, but a company just has to do what's in its best business interest, and they have to do their own research and try to understand what it actually means, because the rules are onerous. But again, they're there for a good reason. Like we were saying earlier, the Chinese J-20 looks just like an F-22 because they're really good at getting this information from us.

Speaker 1:

With the advent of cloud technology and the more modern collaboration and secure tools that are out there, there are ways to offload a lot of the risk onto commercial cloud providers, with some safeguards. You don't have to completely change everything you do. For a lot of companies, what they'll do is something called an enclave, where they'll just say, okay, we'll have a new email domain. You know, it's secure@atxtest.com, and whenever we email the government, we will do it on that email address. We will only access it from certain devices in a certain place, and that's how we'll do CMMC. Right, because if you're a company like mine that's primarily knowledge work or consulting or ideas, you're not writing some sort of, you're not making hardware, a really good solution is to partition that so you can focus on your commercial work and you don't have to worry about, as you were saying, spending all of your SBIR just getting compliant. Companies can do that, and do that research to understand that you never have to pay a consultant a quarter of a million dollars to get yourself compliant. Now, if you are writing source code, like a company I'm working with, they're making hardware and writing source code right there in it, is source code protected? Well, if it's under a contract, source code is considered to be covered technical information. It really is, as you can imagine, the bread and butter of something that an adversary would want to take. So unfortunately that is something that would have to be protected. But again, there are ways to do it. There are ways to mitigate that, to partition it out from the regular business operations.

Speaker 1:

If you're going to be a 100%, or 95%, or in your case 99% DoD-focused company, you are most likely going to have to just back it up and figure it out and find a way to implement it in a way that doesn't destroy your company. And that's the other part. As I was doing this initial research, it was just hard to find information. It's almost like an information asymmetry thing. I don't think it's intentional. I really don't. I don't think the DoD intentionally said, let's just put out a lot of big information and then let companies completely freak out. I really don't think that was the case, although that may be how it's come out, right. There are ways that companies can look at this and come up with a plan to do it in a way that makes financial sense for them. But it's not easy, and it will change.

Speaker 1:

That's the other part too. Everything I'm saying right now could change before what's called final rulemaking goes into effect. That's the other weird part here. Some companies are already undergoing assessment. They're getting something called SPRS, the Supplier Performance Risk System score. They're getting their scores. They're putting them in DoD systems, but CMMC isn't technically official yet.

Speaker 1:

So if anyone ever tells you, as of October 10th, 2023, that CMMC is an official, final thing, then they are lying to you. It's close to being done. The best guess is that likely sometime in early fiscal year 25 it will be required, and it will be required in order to win contracts from DoD. But that's a year away, and it very likely could take a year for many companies, if they are going to do this conversion to CMMC compliance, to get ready for that time.

Speaker 1:

What's funny about this is that all of these rules have actually been around since 2017. So there's this thing that's known as 7012. I think it's DFARS 252.204-7012. Again, something I never thought I would know or want to know in life before this. But 7012 essentially says, effective 2017, if you handle controlled unclassified information or covered defense information, source code, specifications, all the things that the Chinese and Russians want to take from you, if you have that, you have to meet all these rules and controls, like all the CMMC stuff. You were supposed to have done that starting in 2017, but it was self-attested. Companies could pinky swear.

Speaker 2:

No.

Speaker 1:

I totally did that. Yeah, yeah, got a perfect score. I've read that 75% of companies did self-attest that they had perfect scores, and when they were checked, basically 0% of companies were accurate on that. Again, not claiming some kind of big conspiracy, but it's confusing. And when you go to a website and they say, put in your score, if there's no accountability and you don't really know what it is, you just say, yeah, I got a perfect score, it's fine.

Speaker 1:

But the reality is that what's behind it is something that's very complicated, very serious. CMMC is just a way to take the rules that already exist and find a way for DoD to enforce them, because self-attestation is simply not working, it hasn't been, and it never will. That's not how business works in America. You're going to have to trust and verify in this situation. So probably within the next year it'll happen. Again, the rules are still to be fully determined.

Speaker 1:

There's a chance things could get delayed or changed, but I would say sometime starting in fiscal year 2025, it's very likely that companies will have to show that they meet all of those CMMC controls. There are 120 controls, 320 objectives as of today, which again could change. They have to show that they meet those in order to win contracts that have controlled unclassified information in them. And then if you're a subcontractor, the prime contractor will have to validate you, and you'll also usually have to get a third-party assessment, a company that comes in and charges you. It's not a charity, right, it's a very expensive proposition, but you have a company that comes in that does a formal third-party assessment and then determines if the score is what you say it is. So it's a lot, it really is. I like to say there is a light at the end of the tunnel with all this, but that light is a train coming very quickly with lots of rules and regulations, and companies just need to be aware of it. That's really it.

Speaker 1:

It's certainly not the time to try to scare people, and I hate the tactics that some companies use to try to scare others. They bring up things about the False Claims Act, where there have been some stories in the news about companies that have falsely attested to being compliant and later have been found out not to be, and they get in pretty big trouble. It's not about scaring companies, right? Again, we don't want these companies to leave the defense industrial base, especially these dual-use companies that maybe have only started working with DoD in the last five years because of all the defense innovation activities. We have to retain these companies, and the data. It's too important for national security not to. But CMMC is something that they're going to have to understand. Do the research. Talk to someone. Don't take the first piece of information that a company may give you. Right, you just have to watch out for yourselves, but understand: it will be difficult, but it doesn't have to be the reason that you leave the defense industrial base.

Speaker 2:

If you're a sub, you've already been forced by primes to start this process, right. This is the other interesting thing. We've been on this road for a really long time, and there were really no service providers around 800-171, now CMMC, at that time, and then they'd say, hey, it's not required until later. I'm like, well, if you work for one of the large aerospace primes, they require it if you want to get work from them, because they want to make sure that their supply base is ahead of the contracts. What's very interesting from the small business perspective is that they had to become early adopters in the space, because if Boeing is going to win an award next year or the year after that is going to require CMMC, they want to be able to turn around and release it to their consolidated supply base that is already compliant. They've been doing this for the last year and a half or two years with pretty strong effort, all of the larger primes. That's already forced an interesting conversation and consolidation among peers, friends of mine, just saying, how do I do this, how do I do that? They've come up with different flavors. For some people it's very simple. It's just use a tool. Like you say, build an enclave, get another domain. There are some pretty approachable tools for that. For a lot of people it's been like, change everything, change your infrastructure, change your whole business, how the whole business works, and so they've had to make that choice.

Speaker 2:

To me, it's part of a broader conversation: I'm interested in making cool stuff. That's all I want to do. I want to work on interesting things with interesting people, people that I like, work on things that I like. I really enjoy making advanced electronics for national defense. I think it gets to flex a lot of mental muscles. I feel like it's mission-centric. I like doing it. I'm going to put things in that bucket. I want to move fast. I want to move fast like a startup. I want to see an opportunity or talk to an operator. I want to talk to somebody that's on active duty, and they say, I wish this existed, and I want to come back and make it and get it in their hands. That's a lot of what DIU has been fostering, that kind of commercial speed into the market, and pushing through other programs, and really changing how investment is happening.

Speaker 2:

We talked about David being on the show and the tides shifting in Silicon Valley investment. We think of Silicon Valley speed, attacking a problem and getting things lean into somebody's hands, but then balancing that with, okay, well, let's do it in a controlled, secure manner. I think that puts us in an interesting space. Maybe this is a good way in, and this is a big shift in the conversation, but I saw what you're doing with the Army, with the Software Factory, and I don't know enough about that.

Speaker 2:

I do understand the concept of a software factory, and we've talked to lots of AAL people on the show and a lot of people around Army Futures Command. It's just a really interesting idea. I think it runs into a similar problem. It's like, we want to move fast and do interesting things, but we also want to do it in a mission-centric, safe, secure way. I wanted to tee that up so I could learn a little bit more about the Software Factory, what you can share and what makes sense to share. How does that play into this concept of security and innovation meeting in the middle?

Speaker 1:

Yeah, Austin has had such an amazing round of defense innovation organizations in the last half decade, starting with DIUx, formerly Nell Defense Innovation Unit, in 2016 when I got involved, followed by Air Force AFWERX and Army Futures Command. And National Geospatial-Intelligence Agency. National Security Innovation Network, the Army Applications Lab, Jim Ornwick with AFC, it's just amazing. It's amazing. We joked that we could have these joint interagency meetings. Of course, the other bureau comes and some others. It means it would take a month to get a little bit easier. Just hang around having coffee in Austin. It was really a magical place to be in this space, especially, honestly, pre-COVID, right? Especially because before COVID hit, the DoD was absolutely certain it was impossible to work from anywhere aside from DoD buildings, until sometime in March 2020 when they suddenly realized actually you could do that work, no problem, here's some tools to let you do it. But before COVID, bringing someone from the Pentagon to downtown Austin, it just blew their mind, right. They would see you were on the 16th floor of a building. We'd see this beautiful view of downtown. There's like kombucha on tap and they just couldn't understand how you could work in a place like this and still get work done and still do important national security and defense-related work, and that really was the magic of Austin. You know, COVID certainly hurt in that sense of no travel for a long time, and then DoD kind of got it, like oh yeah, we can actually work in places that aren't dark, windowless rooms where dreams go to die, where I've spent a lot of my time in my career, which overall is good. Right, it's very good for the federal workforce, but that was definitely something that we had going for us in Austin and it's still an amazing place.

Speaker 1:

So you mentioned Army Software Factory, Army Applications Lab. You know, Army Futures Command itself, right, the four-star that generally just kind of walks around Austin in a polo shirt out of a university building. It's just extremely weird, and that's what we're all about in Austin. It's weird, so it fits in really well. Army Software Factory, there's a lot of information about it online. To me, what's so special about it?

Speaker 1:

Being in the reserves and coming from the Defense Innovation Unit, they have made good on that promise of empowering soldiers, service members, to be part of the solution, and that is just so hard to do. You know, look at something like what the Air Force did with Kessel Run, which started off as a DIU prototype effort. You know, it's pretty much about the technology and the tools delivered and the program that was being supported. And certainly Kessel Run has done some amazing things and it's an amazing organization. The first commander was an amazing human, a former DIUx-er.

Speaker 1:

But fast forward six years and there's not really an institutionalization of software development in the Air Force. Right, there's a couple dozen software organizations. I'm a Lieutenant Colonel in the Air Force, in the Air National Guard. Now there's not a path for someone like me, even if we're junior in rank, a path for me to become a software developer and have a career in software development. That's something that's really unfortunate. I think it's something that just broadly emerging technology, or even getting back to the CMMC conversation, just emerging technology in general in the Department of Defense is something that we can be really good at acquiring or sometimes integrating into programs of record. But when it comes to institutionalizing and actually empowering service members to do that work and do the implementation, we have a really, really hard time with that. I mean, look at cybersecurity. I spent about a decade at NSA and CIA in the cyber realm. It really wasn't until the mid-2010s, say 2016, when the Army really revamped their cyber career fields. I know the Air Force was way ahead back in the 2008 timeframe, but even 2008, I mean, that was 20 years after China was exfiltrating all of these plans and data from people's desktops. It's very slow to adapt and I think we've seen that in all of these emerging technologies. Ryan L Software is that thing that is starting to be institutionalized.

Speaker 1:

Of course, no podcast about defense would be complete without someone saying the words artificial intelligence, so glad I got that one out there. We can check that box. What if there were service members that were using, operationalizing artificial intelligence? Just think of all the people at companies, obviously not mine, of course, but others, that are using ChatGPT and other kinds of tools that make their jobs easier. That was the promise of artificial intelligence, at least when I was at the Pentagon.

Speaker 1:

It's not to replace humans necessarily. It's to make them better at their jobs and more efficient, and I think that's what's so cool about things like these LLMs that make someone just that much more effective, especially as consultants, again, until they're filing legal briefs with fake info. But just the way it should work, where it makes someone more efficient, more productive. What if we had platoons or squadrons in the service that had people focused on operationalizing artificial intelligence in that way? We just don't, and I think we will. I think it might be like 2035 or 2040 and it'll be a really good idea then. It's just very slow. A long answer to a very simple question, but I'm just very proud to be involved with that organization, just to see what they've done to help bring that power down to the lowest level. So the service, and I hope all the other services, are paying attention and follow suit.

Speaker 2:

That's fantastic. I'm very bullish on the DoD and IC's ability to engage industry, and just seeing that really speed up in just the last, I'd say, three or five years, right, I think, realistically. Just seeing that down to my mortal, everyday person level, my ability to go and speak to a group of people and actually ask them what they want and then get informed of different funding vehicles or opportunities that are out there and just applying to them, it's really been different from 10 or 15 years ago, where the whole industry was a little bit more opaque and it just was nothing like that, at least from my perspective or my knowledge as a small business person or just a product development person, certainly not from the commercial startup world. So seeing that mix, and then now every time I go speak someplace, so yeah, we'll say AI, right, it's a great example of this, is like we're taking commercial tools that are out there and then there's a lot of security questions that are associated with those. So if I want to use Azure and I want to bring Azure to the tactical edge, like what am I actually bringing? There's just growing awareness that ChatGPT is not secure, that it's remembering the things that you're putting in there and that you shouldn't post a lot, but people are still doing that and doing it at an alarming level. And I think, as the AI tools proliferate more, or, let's say, more sophisticated interactive tools proliferate more, we'll have to have new types of security, not CMMC, but new types of security that just say, like, what is actually inside of this model, what's actually going on here and how is it making these determinations, and is it making these determinations in a way that is secure? So, is it learning in a way that's secure? So I can understand what's happening with my data, like how is it being stored? How is it additionally being shared? Is it telling me that something is impossible, but that's because I don't have a security level? Is that giving me side channel information about it? Is that in and of itself, like a weak signal that I should be paying attention to? Is that information in and of itself? There's all these compounding questions as DoD reaches more into the commercial world and comes at commercial speed and we want to use these same kinds of tools.

Speaker 2:

The joke that I make is like I show people the same things that 14- or 15-year-old nerds do on the weekends. I'm like this is like what a kid would use, and this is a cool thing that you can build with this little hacking RF tool. Here's what you can do with a Flipper Zero, and it blows their mind. It's like a pocket EW tool. So we want to take those kinds of ideas and move them in. But we have to be really careful about taking those ideas and like moving them in at speed, but also securely. And software is the ultimate version of that, because it's like a black box, right. What's going on inside that software? I think this is a really interesting conversation.

Speaker 1:

I think that is one good thing that will come out of our new focus on CMMC and software bills of materials and everything else. I think we will be forced to get a better understanding of where our data is going and how it's being secured and not secured, and I think DoD will be better for it. I also think that the policy side of things and some of the culture side will still need to catch up a bit. I agree with you that it's been phenomenal to see over the last half decade just how different the relationship is between, in particular, dual-use startups and the Department of Defense. When I first started doing this in 2016 in DIUx, people would say, like, how are you in Austin, how are you an officer in the Air Force and, like, in regular clothes doing this work? And then fast forward to 2023 and people would say, oh yeah, my mom just got an SBIR. Yeah, she's got a Phase One. It's great, and I think that's what hasn't gotten one too. Yeah, everyone understands now what it is and they're involved, and I think that's such an important thing to have. Again, we've talked a lot about doom and gloom, the shrinking defense industrial base, but I think finding new ways to extend it, bringing newer interests into it, that'll be one of the best things that we can do. It's just on the culture side, the policy side, I think DoD still has a little bit of catch-up to do. One of my favorite stories from my time in DIUx, in 2017.

Speaker 1:

I was working on a project that had grown out of the DARPA Cyber Grand Challenge to try to use a very basic artificial intelligence, more machine reasoning, to find vulnerabilities in software and exploit them and patch them. It was a really, really cool project and I remember we were looking to put companies on contract and I was talking to someone. It was a govie, old school, long time govie, and the dream was that someday this could be done for aircraft software, that you could look at aircraft software, try to find vulnerabilities, patch them, kind of on the fly. And then again, in the last half decade there have been many, many attempts to do that with different levels of success, but I'll never forget what that person said to me. He said, I don't think you'll ever be allowed to do that. They will never let you do that, because there is no rule that lets you do that.

Speaker 1:

It's like, okay, there was probably no rule about how to handle atomic weapons in the 1920s, but we kind of figured it out. Just the idea that there has to be a rule for emerging technology that has yet to exist, which is something that stuck with me over the last six years. And again, I think that's the beauty of this dual-use startup ecosystem, right, because these companies, these entrepreneurs, are going to come to the DoD over and over again with all of these things of, well, you've never done this before, try this, try that. We did this in the industry, we did that, we did that. And DoD is slowly starting to realize we can do some of these things, we can assume some of this risk, and the people that say you can only do things that are explicitly in the rules, hopefully, are slowly starting to retire out.

Speaker 1:

But it is exciting and I love doing it, whether it's been from the government side, whether it's from the industry side. Government is really that thing that we all can do together, that all of us have some kind of connection to, some kind of responsibility for, and so, you know, it's something that we can make fun of sometimes and it's a little bit frustrating, but at the end of the day, it's just so important that we all do this together and that we get the right people and smart people and people like here involved in this space in some capacity to contribute to national security, and if that means meeting CMMC...

Speaker 2:

Zach, that's a wonderful place to end this conversation.

Speaker 2:

I really appreciate you taking the time to be on the show.

Speaker 1:

Thanks so much, Mike. Oh yeah, I really enjoyed listening to them. I loved listening to David talk about adventure capital. If listeners haven't listened to that one, go check it out. Way better than me, David Ross said.

Speaker 2:

Ladies and gentlemen, it is a great episode. So thanks for the shout out, and thank you for listening. This has been The Startup Defense.
